AZ DNR, LLC d/b/a ERC, LLC v. Luxury Travel Brokers, Inc. and Timothy W. Gibson (D. Kan. Oct. 24, 2014). Litigation between brokers has revealed some of the inner workings of the secondary wholesale market for frequent flyer program points and miles. In its complaint, ERC alleged that it is “in the business of purchasing and repurposing unwanted credit card reward points and frequent flyer miles” from consumers. ERC deposits the purchased points and miles in a “bank” it maintains and then resells them to travel agencies and other customers. Luxury Travel Brokers, which does business as “Flyer Miles” and “Flyer Smiles,” bought points and miles from ERC for resale to its own wholesale and retail customers.

Over time, ERC and Luxury Travel became so chummy that ERC permitted Luxury Travel to “self-serve” by accessing the bank directly and withdrawing points and miles as needed. However, according to ERC, Luxury Travel became too familiar with the bank, helping itself to points and miles but not paying for them, and even taking points and miles that were not available for purchase. When the parties’ negotiations over compensation for the excessive self-service failed, ERC filed suit. ERC sued not only Luxury Travel but Timothy Gibson, the owner of Flyer Miles and Flyer Smiles, as well. ERC’s complaint asserted claims for tortious interference with contracts and prospective contracts, violation of the federal Computer Fraud and Abuse Act, breach of contract and unjust enrichment.

The defendants filed a motion to dismiss. Their main argument was that ERC lacked standing to bring the lawsuit because ERC “has no legitimate property rights” in the points and miles in the bank because “[p]ursuant to the contracts between these customers and the airlines and financial institutions, these frequent flier miles and reward points are generally the property of the airlines and financial institutions, until redeemed by the customer.” The court denied the motion to dismiss, primarily because the motion raised various factual defenses that the court could not consider in deciding a motion to dismiss. For example, the court ruled that ERC had “sufficiently alleged” that it “purchased points and miles from others.”

The defendants then filed their answer to the complaint. Ironically, one of their affirmative defenses, entitled “public policy,” mirrored the primary claim that airlines typically assert in lawsuits against brokers; the defendants explained their “public policy” defense as follows: “Plaintiff’s recovery in this matter is barred for the reason that Plaintiff’s alleged sale of frequent flier miles and credit card reward points necessarily involves the breach of Plaintiff’s ‘customers’ [sic] third party contracts with airlines and financial institutions. Thus, Plaintiff cannot show that it has any lawful right that has been interfered with. Furthermore, it would be against public policy to allow an individual to sue for interference with property rights that are only ‘acquired,’ to the extent they are so acquired, if at all, via the necessary breach of an individual’s third party contract with another individual.”

However, the defendants will not have the opportunity to prove at trial that the brokerage of points and miles fundamentally violates public policy. Due to what the court described as the defendants’ “pattern of intransigence and violations of Court orders,” it entered a default judgment against them. The remainder of the case will be limited to litigation over the quantification of the damages to which ERC is entitled and whether ERC is entitled to injunctive relief. The damages phase of the lawsuit should provide an additional insight into this secondary wholesale market by showing the value that market participants place on points and miles.

Note: ERC operates the website earnrewardscash.com, which advertises that “We Buy CREDIT CARD POINTS and AIRLINE MILES! Safe. Simple. Discreet. Guaranteed.” Timothy Gibson was the founder of Alpha Media Group, LLC, which does business as Alpha Flight Guru and operates the website alphaflightguru.com.

Update: On May 21, 2015, the court entered a judgment in ERC’s favor for $502,543.46 against Luxury Travel Brokers and Timothy Gibson.

Lavine v. American Airlines, Inc. (Md. Special App. Dec. 1, 2011). Using aa.com, the plaintiffs bought two American Airlines tickets for roundtrip transportation originating and terminating at Reagan National Airport, with an intermediate stop at Key West International Airport. Their outbound itinerary included a connecting flight from Miami International Airport to Key West. They received an email confirmation that referred to, incorporated, and contained a link to, American’s Conditions of Carriage.

According to the plaintiffs, American personnel at DCA informed them that the flight to MIA was delayed. The plaintiffs claimed that they requested seats on another flight or a refund and that they only boarded the delayed flight after having been assured by American personnel that, despite the delay, the airline “would provide” them with the connecting flight to Key West. The plaintiffs alleged that, upon arrival at MIA, American personnel informed them that they only had 15 minutes to reach the gate for the connecting flight. The plaintiffs asserted that they ran through the airport, inhaling construction debris along the way, but that American did not permit them to board the connecting flight because they had arrived too late. American obtained and paid for a hotel room for the plaintiffs and gave them a stipend for dinner and breakfast. The plaintiffs traveled to Key West on an American flight the next day.

In their lawsuit against American, the plaintiffs alleged five counts based on common law theories of negligent and intentional misrepresentation and demanded $10,000 in compensatory damages and $10,000 in punitive damages. The plaintiffs appealed after the trial court granted the airline’s motion for summary judgment.

The appeals court affirmed the trial court’s judgment. First, the appeals court held that American was entitled, under 49 U.S.C. § 41707 and 14 C.F.R. Part 253, to incorporate the Conditions of Carriage by reference, that the airline had in fact done so and that the plaintiffs’ allegation that they had not seen, or agreed to, the Conditions of Carriage did not create a genuine dispute of material fact.

The court then held that the Conditions of Carriage operated to prevent the plaintiffs from being able to prove the “false statement” and “reliance” elements of their negligent and intentional misrepresentation claims. The court held that the plaintiffs could not prove the “false statement” element due to the limitation of liability clauses of the Conditions of Carriage, which provided as follows: “American is not responsible for or liable for failure to make connections, or to operate any flight according to schedule, or for a change to the schedule of any flight. Under no circumstances shall American be liable for any special, incidental or consequential damages arising from the foregoing.”

Next, the court held that the plaintiffs had failed to prove reliance on any alleged verbal representations by American personnel because Mr. Lavine, as “an experienced attorney licensed to practice law in Maryland,” could not have justifiably relied on any such representations in view of the limitation of liability clauses in the Conditions of Carriage and a clause providing that “times shown in timetables or elsewhere are not guaranteed and form no part of this contract.”

The court then held that the plaintiffs had failed to establish the proximate cause element of the causes of action because “it is not foreseeable that [appellants] would inhale construction debris and sustain personal injury as a result of an airline scheduling delay.”

Finally, even if the plaintiffs had been able to establish the elements of their causes of action, their claims would not have made it past 49 U.S.C. § 41713(b)(1), the preemption provision of the Airline Deregulation Act, which provides that “a State . . . may not enact or enforce a law, regulation, or other provision having the force and effect of law related to a price, route, or service of an air carrier.” The court held that this provision preempted the plaintiffs’ tort claims because they were “related to” American’s boarding procedures, which constituted a “service” provided by the airline.

Note: This opinion has generated interest among non-aviation business litigators and transactional attorneys in Maryland. In holding that the Conditions of Carriage were part of the parties’ contracts, the court rejected the plaintiffs’ argument that, even if the Conditions were part of the contracts, there was a dispute of fact because American personnel, by their verbal statements at the airport, had modified the Conditions. The court relied on the “non-modification” clause of the Conditions in rejecting this argument; that clause stated that “[n]o agent, employee or representative of American has authority to alter, modify or waive any provision of the Conditions of Carriage unless authorized in writing by a corporate officer of American,” and the plaintiffs had not offered proof of a corporate officer’s written modification. Some commentators have opined that this decision appears to conflict with prior Maryland decisions holding that, despite a contractual requirement that any modifications be written, parties can nevertheless verbally modify contracts. It appears that the more rigorous “corporate officer” written modification requirement gave the court comfort to enforce the non-modification clause in this case.

Note: This post is an abridged version of the article I wrote for the Autumn 2010 issue of Issues in Aviation Law and Policy, which is published by the International Aviation Law Institute of DePaul University College of Law. Click here for the full version.

Until the last few years, airlines sustained significant revenue losses from “bust-outs” by Airlines Reporting Corporation (ARC)-accredited travel agencies. In a bust-out, an agency’s owners validate and sell vast numbers of tickets in a short period of time to individuals and other agencies, fail to report the sales to ARC, and disappear with the proceeds. Due to technological innovations and aggressive enforcement activities, primarily driven by ARC, bust-outs are now comparatively rare.

Airlines still suffer revenue losses from ticket-related fraud, but now that type of fraud mostly results from online conduct by persons who are not affiliated with ARC agencies. Online fraud, primarily the illicit sale of tickets purchased over the Internet by persons using stolen credit and debit card numbers, is a significant source of revenue loss for airlines. This past summer, federal authorities charged 38 defendants “in a series of indictments that allege an extensive network of black market travel agents who used the stolen identities of thousands of victims as part of a multi-million dollar fraud scheme to purchase airline tickets for their customers.” News Release, Office of the U.S. Attorney, W. District of Missouri, Black Market Travel Agents – 38 Defendants Indicted in Multi-Million Dollar Fraud (July 9, 2010). Losses from this scheme allegedly exceeded $20 million. According to one survey, airlines suffered losses of over $1.4 billion in 2008 due to online fraud. Airlines Tackle $1.4 Billion Online Fraud Challenge, Cybersource (Mar. 16, 2009).

Airlines also sustain online-related revenue losses from fraud by frequent flyer mileage brokers and website abuse by “screen scraper” travel information providers. Ironically, just as technology was instrumental in reducing the incidence of bust-outs, it is technology, mainly in the form of the Internet, which makes these other forms of fraud and abuse possible.

Alaska Airlines’s recent successful use of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, in federal court against a defiant, long-time frequent flyer mileage broker demonstrates that the Act can be effectively used to combat online fraud and abuse. Having the CFAA as a gateway to federal court, through federal question jurisdiction under 28 U.S.C. § 1331, is particularly important for airlines because, in general, cases move more quickly, and summary judgment is more readily available, in federal district courts than in state courts. Moreover, airlines can no longer depend as heavily as they once did on federal trademark infringement or other Lanham Act causes of action to obtain federal question jurisdiction, as mileage brokers appear to be lessening their use of airline logos, trade names, and other trademarks on their websites in an effort to avoid drawing airlines’ attention.

A CFAA cause of action can serve as a powerful weapon, but, in general, courts are cautious about using the CFAA in a civil setting and thoroughly scrutinize evidence offered by a plaintiff in support of its CFAA cause of action. As a result, an airline must make sure that its website’s terms of use are correctly set up so they can help support a CFAA cause of action, and as soon as online-based fraud or abuse is detected, an airline needs to take steps to ensure that it will be able to prove the elements of a CFAA cause of action, particularly with respect to the “loss” element, which various federal courts have construed differently. These protective measures are discussed in detail below.

Introduction to the Act

In the early 1980s, computer hackers began to penetrate government and private computer systems. Gradually, the public began to become aware of these shadowy figures, who used a combination of telephones and “social engineering” (tricking people into disclosing information) to hack into computer systems and steal information or cause damage.

Oddly, Hollywood provided a major impetus for legislative change to address the hacker problem. In 1983, the movie “WarGames” was released, and it dramatically increased the public’s – and Congress’ – awareness of computer hacking. In the movie, a high school-age computer geek unknowingly hacks into a NORAD computer system using his personal computer and a telephone and nearly causes a global nuclear war. Partly as a result of this movie, and its far-fetched premise that a teenage hacker could cause the launch of nuclear missiles, Congress enacted the CFAA, which was then called the “Counterfeit Access Device and Computer Fraud and Abuse Act of 1984.” (For those who doubt that a movie featuring the escapades of Matthew Broderick and Ally Sheedy spurred the enactment of federal computer crime legislation, see H.R. Rep. No. 98-894, at 6 (1984), reprinted in 1984 U.S.C.C.A.N. 3689, 3695 (“For example, the motion picture ‘War Games’ showed a realistic representation of the automatic dialing and access capabilities of the personal computer.”).)

The Report of the House Committee on the Judiciary summarized the need for the legislation as follows: “The committee concluded that the law enforcement community, those who own and operate computers, as well as those who may be tempted to commit crimes by unauthorized access to them, require a clearer statement of proscribed activity.”

The goal of articulating a “clearer statement of proscribed activity” has been difficult for Congress to achieve, and, as a result, it has repeatedly amended the CFAA over the years. The amendments have caused the Act’s reach to broaden substantially, just as the prevalence of computers themselves has increased. For example, the CFAA initially was a criminal statute only. In 1994, Congress amended the Act to add a civil cause of action, which is now codified at 18 U.S.C. § 1030(g), under which victims of computer fraud or abuse can assert claims against violators of the statute. Also, the statute was originally intended to control interstate computer crime only, but, with the development of the Internet, virtually all computer use has become interstate use and thus subject to the Act.

The Act’s Civil Cause of Action

Although the CFAA prohibits seven separate types of activities, airline plaintiffs typically proceed against offenders under Section 1030(a)(4), which prohibits a person from “knowingly and with intent to defraud, access[ing] a protected computer without authorization, or exceed[ing] authorized access, and by means of such conduct further[ing] the intended fraud and obtain[ing] anything of value.”

The Act defines a “protected computer” as a computer “which is used in or affecting interstate or foreign commerce or communication.” Thus, as noted above, the Act covers, in essence, any computer that is connected to the Internet, which means that it covers virtually all modern computers. Certainly, any computer that hosts an airline’s website or frequent flyer mileage program constitutes a “protected computer” under the Act.

To prevail on a claim under Section 1030(a)(4), an airline plaintiff must prove that the defendant caused a “loss” to the airline “during any 1-year period . . . aggregating at least $5,000 in value.” The Act defines the term “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” The “cost of responding to an offense” includes the “consequential” costs incurred in investigating an offense and taking remedial measures in response to it.

An airline plaintiff that has sustained a “loss” through violations of the Act is entitled to “maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.” Actions must be brought within two years of the offensive conduct or the date of the discovery of the actionable damage.

History of Cases Brought by Airlines Under the Act

In court, airlines have had some successes with CFAA causes of action. Although issues regarding whether defendants have accessed airline computers “without authorization” or have “exceed[ed] authorized access” have been litigated in several cases, the primary battleground has been the issue of whether the airline plaintiff has been able to prove that it sustained a “loss” within the meaning of Section 1030(c)(4)(A)(i)(I).

Southwest’s Cases

Of all airlines, Southwest Airlines has been, by far, the most active in bringing CFAA causes of action in court. Southwest’s experiences in litigating the “loss” element of the CFAA cause of action in the three cases are instructive.

Southwest v. FareChase. In 2003, Southwest sued a software company that developed and licensed software that had the ability to send out “a robot, spider, or other automated scraping device” via the Internet to obtain fare, route, and schedule information from southwest.com, as well as a company that was using such software, pursuant to a license, for use by its corporate traveler customers. Southwest Airlines Co. v. FareChase, Inc., 318 F. Supp. 2d 435, 437 (N.D. Tex. 2004). In its complaint, Southwest claimed that the defendants’ activities directed at southwest.com were unauthorized and were deceiving Southwest’s customers by providing them with incomplete and inaccurate information. Southwest alleged 12 causes of action in its complaint, including a CFAA cause of action.

The defendant that had been using the software moved to dismiss, among other things, Southwest’s CFAA claim pursuant to Federal Rule of Civil Procedure 12(b)(6) because the complaint supposedly had failed to adequately allege “loss” and unauthorized access to southwest.com. The court rejected both arguments.

As to the “loss” issue, the court held that, because the complaint alleged “loss” aggregating at least $5,000 pursuant to Section 1030(e)(11), Southwest did not need to also allege “damage” to its computer or data pursuant to Section 1030(e)(8), as the defendant had contended. The court also held that Southwest had adequately alleged unauthorized access under the CFAA because southwest.com’s Use Agreement, which was accessible from all pages on the site, specifically informed users that the use of “automated scraper devices” on the site was prohibited.

In its complaint, Southwest alleged, among other things, that BoardFirst’s conduct violated the CFAA, and Southwest moved for summary judgment on its claims. The court held that Southwest was not entitled to summary judgment on its CFAA claim. The court agreed with Southwest that, by logging on to southwest.com, BoardFirst had been “intentionally access[ing]” Southwest’s computer within the meaning of the CFAA. However, the court asked the parties to provide additional briefing on the issue of whether BoardFirst had acted “without authorization” or had “exceed[ed] authorized access,” as well as whether the court should apply the “rule of lenity” in interpreting the CFAA in the context of the case. The rule of lenity “counsels courts to construe ambiguities in a criminal statute, even when applied in a civil setting, in a narrow way.”

The court then addressed whether Southwest had satisfied the CFAA requirement that it show a “loss” of more than $5,000 in a one year period due to BoardFirst’s conduct. To support its “loss” claim, Southwest had submitted the declaration of its corporate representative on damages, which stated that “Southwest spent at least $6,500 within a single one year period in investigating and responding to BoardFirst’s unauthorized access to Southwest’s computer system.”

The court ruled that, although “investigative and responsive costs fit within the concept of ‘loss’ as used in the CFAA,” the corporate representative’s declaration was “fairly conclusory,” and thus inadequate to establish “loss,” because the declarant had failed “to identify the precise steps taken by Southwest in ‘investigating and responding to’ BoardFirst’s unauthorized access.” This failure, according to the court, prevented it from being able to determine if Southwest’s response costs were “reasonable,” as required by the Act’s definition of the term “loss.” However, Southwest did succeed in shutting down BoardFirst’s operations; on the basis of Southwest’s breach of contract claim, the court permanently enjoined BoardFirst from continuing to use southwest.com to obtain boarding passes for its customers.

Southwest v. Harris. In 2007, Southwest sued eight defendants, alleging that they had engaged in brokering of the airline’s Rapid Rewards frequent flyer plan miles and awards. In its complaint, Southwest advanced a CFAA cause of action, its only federal cause of action, as well as numerous state statutory and common law causes of action.

The defendants moved to dismiss the complaint for lack of subject matter jurisdiction, alleging that they had not “accessed” Southwest’s computer system within the meaning of the CFAA. Southwest focused its opposition solely on the “access” element of the CFAA because that is the only one that the defendants had disputed, but, in deciding the motion, the United States Magistrate Judge decided to analyze all the elements of the CFAA cause of action, including whether Southwest had sustained a “loss” within the meaning of Sections 1030(c)(4)(A)(i)(I) and (e)(11). Southwest Airlines Co. v. Harris, 2007 WL 3285616 at *3-4 (N.D. Tex. 2007).

In his ruling, the Magistrate Judge noted that, under the Act, Southwest was required to show that it had sustained a “loss aggregating at least $5,000 in value over a one-year period.” The Magistrate Judge also noted that, under Section 1030(e)(11), the Act defines the term “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”

In its complaint, Southwest alleged that it had incurred a “loss” within the meaning of the Act because it had lost more than $5,000 in revenue in one year due to numerous passengers having traveled on its flights using awards that were void because defendants had brokered them in violation of the Rapid Rewards program’s terms. Taking a narrow view of the Act’s definition of “loss,” the Magistrate Judge ruled that the form of loss alleged by Southwest did not fall under the definition set forth in Section 1030(e)(11) because the revenue at issue had not been lost “because of interruption of service.” Accordingly, the Magistrate Judge recommended that the defendants’ motion to dismiss be granted, and the District Court accepted his recommendation.

The court in Harris is not alone in its view that lost revenue must result from a service interruption in order to constitute a “loss” within the meaning of Section 1030(e)(11). In fact, this appears to be the majority view on this issue. See Costar Realty Information, Inc. v. Field, 2010 WL 3369349 at *15 (D. Md. 2010). However, some courts have ruled that lost revenue does constitute “loss” within the meaning of Section 1030(e)(11) even if it does not result from a service interruption. See, e.g., Frees, Inc. v. McMillian, 2007 WL 2264457 at *6 (W.D. La. 2007). This issue was recently addressed in a case brought by Alaska Airlines.

Alaska Airlines v. Carey

Brad Carey is no stranger to lawsuits brought against him by airlines seeking injunctive relief against, and damages arising from, his frequent flyer mileage brokering. Northwest Airlines sued Carey for mileage brokering in 1991, and, the next year, the court granted the airline a permanent injunction and a stipulated judgment for $200,000. United Airlines sued Carey for mileage brokering in 1992, and again in 2005 for violation of the permanent injunction entered against him in the first case in 1993. In its summary judgment memorandum in the case discussed below, Alaska Airlines referred to Carey as “an incorrigible and devious scofflaw.”

In 2007, Alaska Airlines filed a lawsuit in the United States District Court for the District of Washington against Carey, his wife, and Carey Travel, Inc. seeking damages and injunctive relief related to Carey’s brokering of frequent flyer miles and award tickets. Like other frequent flyer programs, the terms of Alaska Airlines’s program, which is known as the “Mileage Plan,” prohibit its members from selling, purchasing, or bartering miles or award tickets, and stipulate that miles and award tickets “are void if transferred for cash or other consideration.”

In its amended complaint, Alaska Airlines set forth eight causes of action, but its CFAA cause of action was the only federal statutory cause of action in its pleading and, thus, the sole basis for the court’s subject matter jurisdiction under 28 U.S.C. § 1331.

According to Alaska Airlines, Carey operated the following scheme in violation of the CFAA. Carey would solicit Mileage Plan members to sell their miles to him. He would pay the members a set number of cents per mile, and the members would provide him with their online Mileage Plan username and password. Carey would then be contacted by persons looking to buy an Alaska Airlines ticket, and he would agree to sell them a ticket. Carey would then log on to Alaska Airlines’s website using a Mileage Plan member’s username and password and purchase the requested ticket in the name of the buyer. Carey would then pass the electronic ticket information to the buyer, along with the instruction that, if asked, the buyer should explain that the award ticket was received “free, free, free” as a gift.

In the litigation before the District Court, Alaska Airlines claimed that Carey was violating the CFAA by, “with intent to defraud,” accessing its computer system “without authorization” by using others’ account information without the airline’s permission for the sole purpose of fraudulently causing the airline to issue tickets and provide transportation based on void miles and award tickets.

The District Court agreed with Alaska Airlines that Carey had violated the CFAA, and it entered summary judgment in its favor and a permanent injunction against the defendants. The Ninth Circuit agreed as well, affirming the District Court’s rulings in all respects. Alaska Airlines, Inc. v. Carey, 2009 WL 3633894 (W.D. Wash. 2009), amended, 2010 WL 2196446 (W.D. Wash. 2010), aff’d, 2010 WL 3677783 (9th Cir. 2010). However, neither the District Court’s order granting summary judgment, its amended order granting summary judgment, nor the Ninth Circuit’s memorandum opinion affirming the District Court’s decision contains an extensive discussion of the CFAA cause of action. Only the transcript of the District Court’s oral decision at the hearing on Alaska Airlines’s motion for summary judgment offers insight into either court’s thinking on the CFAA issues.

At the summary judgment hearing, the District Court ruled that Alaska Airlines had proven the elements of its CFAA cause of action. As to the unauthorized access element, the court held that using a frequent flyer program member’s online username and password, even with the member’s permission, to perpetrate a fraud against the airline constitutes “access[ing] a protected computer without authorization” in violation of the CFAA. In ruling in this manner, the court rejected Carey’s contention that his access was authorized because the selling Mileage Plan members had given him permission to use their website login information. The court pointed out that the victim of Carey’s fraud was Alaska Airlines and that the airline owned and operated its site, solely determined authorized access to it, and had not given Carey the authority to use its site to perpetrate a fraud against it.

In addition, the court ruled at the summary judgment hearing that Alaska Airlines had proven the “loss” element of its CFAA cause of action:

The statutory dollar value, the Court is satisfied, is met in aggregating the cost of policing the system in order for Alaska Airlines to maintain the continued integrity and viability of its frequent flyer system.

The fact of damage here is not a close question in my judgment. Not only do we have the in excess of $5,000 spent by Alaska Airlines to fulfill its business interest in maintaining the integrity of its mileage system, but as in the Texas case of Frequent Flyer Depot v. American Airlines, it is also clear to me that there has been a loss of goodwill. Any time a valid frequent flyer mile customer does not have a seat available on a plane because of someone who improperly aggregated miles and obtained a travel award in violation of the terms and conditions, that results in a loss of goodwill, a loss of respect and confidence in the system that Alaska Airlines and, I might add, most other carriers have promoted and spent a goodly amount of money in advertising and promoting for their economic advantage.

The District Court was able to conclude that Alaska Airlines had incurred costs in excess of $5,000 in a one-year period responding to Carey’s offenses because the airline had submitted, in support of its summary judgment motion, the declaration of its Director, Customer Loyalty & Marketing Programs, in which he attested that the airline had expended over $5,000 in manpower in a one-year period while “tracking and attempting to curtail Defendants’ abuses of the system.” The court relied on this declaration in ruling that Alaska Airlines had satisfied the “loss” element of its CFAA cause of action.

CFAA Pointers

The CFAA is a potentially powerful weapon against mileage brokers, “screen scrapers” and others who threaten an airline’s revenues through conduct that involves accessing the airline’s computers. But, in general, judges appear to be reluctant to award relief under the CFAA because the law is relatively new and it was originally enacted as a criminal statute designed to stop computer hackers, and a mileage broker is very different from a hacker. This means that, knowingly or unknowingly, judges are likely to apply “the rule of lenity” in analyzing whether an airline has proven the elements of a CFAA claim. However, if an airline takes the following steps, it can substantially increase the odds of obtaining favorable and relatively quick relief under the CFAA:

The frequent flyer program’s rules should contain a term that clearly states that a member is not authorized to allow a third party to use the member’s user identification or password in order to log in to the member’s account to perform any transaction that violates the program’s terms. This term would make it difficult for a mileage broker to successfully argue, using an agency theory, that he did not violate the CFAA because the member had given him “authorization” to “access” the airline’s computer by using the member’s login information.

To combat automated “screen scraper” devices, the terms of use of an airline’s website should specifically prohibit such devices, and the terms of use should be accessible from all pages on the site. This term would help an airline satisfy the requirement that it show that the CFAA offender had accessed the airline’s computer “without authorization.”

An airline should focus on proving its damages as soon as online fraud or abuse is detected. At the outset in most fraud cases, the plaintiff’s focus is primarily on proving liability, and the computation of damages is often left for discovery or for an expert witness to handle at a later time. However, to help prosecute a CFAA claim, an airline must prepare to prove its “loss” before the litigation and as soon as the offending conduct is identified. If the defendant moves to dismiss a CFAA cause of action on the grounds that the airline has failed to properly plead a “loss” (i.e., the defendant makes a “factual attack” on subject matter jurisdiction grounds), the airline will be required to oppose the motion with admissible evidence. Such evidence must be collected before the case is filed.

To ensure that an airline has sufficient evidence of “loss,” as soon as online fraud or abuse is detected, the airline personnel (or outside contractors) investigating and responding to the offending conduct should keep daily logs describing the tasks they have performed and the time spent performing them. It is critically important that the logs (and the contractor invoices, if any) describe how the tasks performed were in direct response to the CFAA violations. Otherwise, there is a substantial risk that a court will hold that the airline has failed to prove that the employee time, or other response costs incurred, constitute “reasonable” costs within the meaning of Section 1030(e)(11).

In the court complaint, in addition to alleging revenue and goodwill loss due to the defendant’s CFAA offenses, an airline should separately allege that, as “the cost of responding to” such offenses, it has incurred aggregated costs exceeding $5,000 in a one-year period. “The cost of responding to an offense” is considered “loss” under the CFAA. Courts have held that employee response time counts toward the $5,000 threshold. Once the airline has its “foot in the door” as to the CFAA by proving that its response costs exceeded $5,000 in a one-year period, then it can seek to recover revenue under common law fraud and other causes of action that was lost for reasons other than an “interruption of service.”

If damages are relatively unimportant, difficult to prove, or likely to be impossible to recover, and an airline’s primary objective is to stop the defendant’s online fraud or abuse, then the airline should consider dismissing its damages request at some point, particularly where a state statute could provide a cause of action for attorneys’ fees and costs. (In the Carey case, the court awarded Alaska Airlines attorneys’ fees of over $122,000 and litigation expenses of over $4,500 in connection with its successful claim that the defendants had violated the Washington Consumer Protection Act.) Streamlining the case in this manner would increase the likelihood that an airline would be able to obtain a permanent injunction at the summary judgment stage and end the case without having to engage in potentially costly and time-consuming damages-related discovery.

Onyiuke v. Cheap Tickets, Inc. & Virgin Atlantic Airways Limited (D.N.J. Dec. 31, 2009). In August 2008, the plaintiff purchased a ticket, through CheapTickets.com, for roundtrip travel from Newark Liberty International Airport to Lagos, Nigeria, connecting in Gatwick Airport. The first segment was to be on a Continental flight in mid-December 2009, and the connecting flight was on Virgin Nigeria Airways. The ticket cost $1,563.

In early December, CheapTickets notified the plaintiff that Continental had discontinued service between Newark and Gatwick and offered him the choice of a modified flight arrangement or a full refund. The plaintiff refused to accept either alternative. Instead, he purchased a replacement ticket through a different online travel agency for $3,163 and, acting pro se, filed a lawsuit in federal court.

In his 85-paragraph, 25-page amended complaint, the plaintiff asserted diversity jurisdiction under 28 U.S.C. § 1332 and set forth causes of action for breach of contract and conversion against each defendant. He demanded damages of approximately $127,000 from each defendant, including “mental agony” damages of $25,000 in connection with his contract claims and punitive damages of $80,000 in connection with his conversion claims.

Each defendant moved to dismiss pursuant to Rule 12(b)(1) on the grounds that the court lacked subject matter jurisdiction because the amount in controversy did not exceed $75,000 and, in fact, was limited to the refund value of the plaintiff’s ticket. In addition, Virgin Atlantic moved to dismiss under Rule 12(b)(6) on the separate grounds that, except for the refund value of his ticket, the plaintiff’s claims were preempted by the Airline Deregulation Act, 49 U.S.C. § 41713(b)(1), because they were based on state law and “related to a price, route, or service” of an airline.

The court agreed that it lacked subject matter jurisdiction. First, the court struck the plaintiff’s $80,000 punitive damages demands, which the plaintiff had requested in connection with his conversion claims, from the amount in controversy. The court ruled that the plaintiff had failed to allege any facts indicating that either defendant had acted with “actual malice,” which a plaintiff must prove to recover punitive damages for a conversion claim under New Jersey law. The court also pointed out that any “actual malice” assertion was undercut by the fact that it was Continental, and not either defendant, which had discontinued the Newark to Gatwick service, and by both parties’ offers to refund the ticket price to the plaintiff.

Next, the court struck the plaintiff’s $25,000 “mental agony” damages demands, which the plaintiff had requested in connection his contract claims, from the amount in controversy. The court ruled that the plaintiff’s alleged “mental anguish arising from the loss of a bargain,” embarrassment from having to borrow money from friends and relatives and stress and inconvenience did not amount to the “severe emotional distress” required under New Jersey law to establish a claim for emotional distress arising from a contract breach.

After striking the plaintiff’s demands for punitive and mental agony damages, the plaintiff’s claims were below the jurisdictional minimum, so the court dismissed the amended complaint for lack of subject matter jurisdiction. Because the court dismissed the amended complaint on this basis, it did not reach Virgin Atlantic’s alternative preemption argument.

Update: On August 23, 2010, the court denied the plaintiff’s motion for reconsideration. On September 17, 2010, the plaintiff filed a notice of appeal.

Southwest Airlines Co. v. BoardFirst, L.L.C. (N.D. Tex. Sept. 12, 2007). BoardFirst went into business in 2005 to assist Southwest passengers in obtaining the coveted “A” group boarding passes. “A” boarding passes are obtained by the first 45 passengers to check in, and “A” passengers are the first to board the aircraft. A BoardFirst customer authorizes the company to act as the customer’s agent. When the customer’s boarding pass becomes available, a BoardFirst employee uses the customer’s personal information to log onto southwest.com and attempt to obtain an “A” boarding pass for the customer. BoardFirst notifies its customer if it was successful; if so, BoardFirst collects a $5 fee from the customer, who prints the boarding pass via southwest.com or at an airport kiosk.

Southwest sent BoardFirst cease and desist letters, but BoardFirst continued to operate. So Southwest sued BoardFirst, alleging causes of action for breach of contract, violation of the federal Computer Fraud and Abuse Act and for violation of a Texas statute prohibiting harmful access to a computer. Southwest sought damages as well as a permanent injunction against BoardFirst’s operations. Southwest moved for partial summary judgment on its causes of action and on BoardFirst’s counterclaims for tortious interference with contractual relations.

The court granted Southwest’s motion as to its breach of contract cause of action, holding that BoardFirst had breached the parties’ “browsewrap” agreement. A browsewrap agreement is entered into between a web site owner and a user of the site when the user accesses the site after having received actual or constructive knowledge that such access constitutes acceptance of the site’s terms and conditions.

Southwest.com’s home page displayed a notice stating that use of the site constitutes acceptance of Southwest’s terms and conditions, one of which was that site use was only permitted for “personal, non-commercial purposes.” The court held that BoardFirst had actual knowledge of the prohibition against commercial use of the site since at least the time it received Southwest’s first cease and desist letter. BoardFirst argued that it did not breach the contract because its use of the site was authorized by its customers. The court rejected this argument, holding that BoardFirst’s authorization to act for its customers “does not make its conduct any less of a violation of the Terms.”

The court then considered whether Southwest had suffered damages due to BoardFirst’s conduct. Southwest argued that it had incurred damages because BoardFirst’s activities had decreased traffic on its site, thereby depriving Southwest of selling and advertising opportunities, and because BoardFirst’s activities had interfered with Southwest’s effort to build an “egalitarian” image by creating a “de facto first class” for its flights.

The court held that Southwest was entitled to damages but that its damages were impossible to quantify, thus making the remedy of a permanent injunction “particularly suitable.” The court permanently enjoined BoardFirst “from using southwest.com in a way that breaches the Terms posted on the site.” The court denied Southwest’s motion as to its federal and state computer-related causes of action and as to BoardFirst’s tortious interference counterclaims.

Note: This opinion is significant because many web site owners, such as Ticketmaster in its lawsuit against Tickets.com, have failed to persuade courts to enforce their sites’ terms and conditions. The opinion provides an effective road map for airlines that wish to make sure that users of their sites comply with the sites’ rules.

Northwest Airlines, Inc. v. Bauer (D. N.D. Dec. 15, 2006). Since the early days of the Internet, various web site owners have brazenly offered to buy and sell airline discount and upgrade certificates, a direct violation of the terms governing such certificates. To add insult to injury, these sites have often used airline logos and other valuable trademarks to promote their illicit services by confusing consumers into believing that there was some association between the airlines and the site. Northwest decided to take action against one such site owner and has been successful in its initial efforts.

Northwest became aware that the owner of “northwestdiscountcoupons.com” was offering the airline’s e-Certificates for sale. The airline distributes e-Certificates to passengers who have experienced flight delays and other problems; they allow the holder to obtain substantial discounts on ticket purchases. By their terms, e-Certificates may be transferred but not sold.

In its lawsuit, Northwest requested injunctive relief and monetary damages as remedies for the site owner’s infringement of the airline’s marks and fraudulent sale of e-Certificates. The airline immediately moved for a temporary restraining order prohibiting further e-Certificate buying and selling, as well as further use of the northwestdiscountcoupons.com site or any other term that is confusingly similar to any Northwest trademark. The court granted the TRO.

Update: In September 2007, the parties filed, and the court approved, a Consent Judgment and Permanent Injunction, thereby ending the case.